Advisory

Ivanti reports active exploitation of vulnerability in Cloud Services Appliance

Take action: If you are running Ivanti Cloud Services Appliance, update to the latest 4.6 Patch 519 immediately. Then plan to replace it with a 5.0 version, since 4.6 is end of life - even if this flaw is not exploited, there will be others, and you won't get a patch.



Ivanti has confirmed that a high-severity vulnerability in its Cloud Services Appliance (CSA) is actively being exploited in the wild. Initially, it was reported that no exploitation had been detected at the time of disclosure, but on September 13, 2024, Ivanti confirmed that a limited number of customers had been impacted following the public disclosure of the flaw.

The vulnerability, tracked as CVE-2024-8190 (CVSS score 7.2), was disclosed on September 10, 2024, and allows remote authenticated attackers with administrative privileges to execute arbitrary code via command injection.

The vulnerability is an operating system command injection flaw that affects Ivanti Cloud Services Appliance version 4.6 Patch 518 and earlier. To exploit this vulnerability, attackers must have administrative privileges, either obtained through legitimate credentials or via brute-force attacks. If successfully exploited, the flaw allows attackers to execute arbitrary commands on the underlying operating system, potentially leading to a full compromise of the affected appliance.

Ivanti CSA 4.6 is an end-of-life device whose last patch version is 519. Ivanti strongly advises customers using the CSA 4.6 version to upgrade to CSA 5.0, as the latter does not contain this vulnerability and is currently supported. For customers still on CSA 4.6, upgrading to Patch 519 is the last available security update, and no further patches will be provided for this version.
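The version guidance above can be applied across an appliance inventory with a short triage script. This is an added example, not Ivanti's tooling: the version-string format, the hostnames and the status labels are assumptions, and a 4.6 entry without a reported patch level, or anything older than 4.6, is treated as affected.

```python
import re

# Thresholds taken from the advisory text: 4.6 Patch 518 and earlier are
# affected, Patch 519 is the final 4.6 update, 5.0 is the supported line.
FIXED_46_PATCH = 519
# Assumed string format, e.g. "4.6 Patch 518", "CSA 4.6 patch 519", "5.0".
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\s*patch\s*(\d+))?", re.IGNORECASE)

def triage(version_string):
    """Classify one CSA version string; returns (status, action)."""
    m = VERSION_RE.search(version_string or "")
    if not m:
        return ("unknown", "verify version manually")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else None
    if (major, minor) >= (5, 0):
        return ("supported", "keep current with 5.x updates")
    if (major, minor) == (4, 6) and patch is not None and patch >= FIXED_46_PATCH:
        return ("patched-eol", "plan migration to 5.0")
    # 4.6 with an older or unreported patch level, or anything before 4.6.
    return ("vulnerable", "apply 4.6 Patch 519 now, then migrate to 5.0")

# Hypothetical ordering: affected hosts first, supported hosts last.
PRIORITY = {"vulnerable": 0, "unknown": 1, "patched-eol": 2, "supported": 3}

def triage_inventory(inventory):
    """inventory: dict of host -> version string. Returns rows, worst first."""
    rows = [(host, *triage(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (PRIORITY[r[1]], r[0]))

# Constructed sample inventory (hostnames and strings are made up).
SAMPLE = {
    "csa-dmz-01": "4.6 Patch 518",
    "csa-dmz-02": "CSA 4.6 patch 519",
    "csa-lab-01": "5.0",
    "csa-old-01": "4.6",
    "csa-unk-01": "n/a",
}

if __name__ == "__main__":
    for host, status, action in triage_inventory(SAMPLE):
        print(f"{host:12} {status:12} {action}")
```

Hosts reported as `patched-eol` are fixed for CVE-2024-8190 but will receive no further updates, so they stay on the migration list.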

Ivanti recommends that administrators:

  • Review the configuration settings and access privileges for any new or modified administrative users.
  • Check the broker logs on the local system and review alerts from Endpoint Detection and Response (EDR) or other security software for signs of exploitation attempts.
  • Follow best practices for securing privileged accounts and monitor for unusual activities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-8190 to its Known Exploited Vulnerabilities (KEV) catalog and mandated that Federal Civilian Executive Branch (FCEB) agencies patch affected systems by October 4, 2024. CISA warned that this type of vulnerability poses significant risks to federal enterprises and is a frequent attack vector for malicious cyber actors.
